Documentation is available from Cypress, it should not be too difficult to write a malicious firmware upgrade

Device should be able to act as a HID keyboard entering a predefined keystroke sequence, e.g. to download a Powershell script from the Internet.

Bootloader information:
http://www.cypress.com/?rID=12994
The term "user code" refers to the actual firmware of the device
providing the intended functionality such as a USB HID mouse.
On powerup, the bootloader verifies a 16 bit checksum of the user code.
If it matches, it jumps to the user code.
If it does not match, the device goes to bootloader mode and
communicates with the computer via USB. There are commands for reading
and writing the flash contents.
Unfortunately, the bootloder requires an 8 byte bootloader key. However,
the key verification is done on a byte-by-byte basis (assembly listings
are available in the ZIP file from Cypress) and so it could be
incrementally guessed by counting the number of clock cycles until the
verification fails. It is likely that the bootloader key is equal for a
large number of produced units and so it would probably be enough to
extract it in a lab setup for a few units.
In a lab setup, it is probably possible to make the flash checksum
verification fail e.g. via voltage glitching, clock glitching, extreme
temperatures or UV/X-Ray radiation so that the device boots into
bootloader code. Then the bootloader key can be extracted by guessing
bytes and counting the number of clock cycles the verification takes.
After that, it should be possible to extract the firmware binary for
reverse engineering. Once the firmware is available, it may be possible
to find a hidden command which allows switching the device to bootloader
mode via a special USB command (so that other identical devices can be
reprogrammed via USB).
*Update:* It looks like the controller itself has a proprietary non-USB
programming protocol. The USB bootloader from http://www.cypress.com/?rID=12994
is optional and I do not know how many actual devices come shipped with a
USB bootloader at all.
The integrated programming functionality can be accessed with a programmer,
which is available for 30$ from Cypress:
http://www.cypress.com/?rID=37459
The following document describes the update process:
http://www.cypress.com/?docID=19520
If there is no bootloader, the chips can still be reflashed via the USB contacts
using a custom (non-USB) protocol with a MiniProg programming adapter.
However, the controller does have flash protection fuses. I do not know
whether these fuses are set for typical low cost USB devices.
*Update 20141107:*
I have tried to read out the chip with a Cypress Miniprog adapter. Unfortunately,
the flash protection fuses are set and I could only read one 64-byte block of the
flash memory. Since I cannot dump the firmware, I can't tell whether there is a
USB bootloader on the chip or not.